New EU data protection rules were given their final approval by MEPs on Thursday and the countdown for European-based organizations to manage the compliance risk has started. The European Parliament’s vote ends more than four years of work on a complete overhaul of EU data protection rules. The reform will replace the current data protection directive, dating back to 1995 when the Internet was still in its infancy, with a general regulation designed to give citizens more control over their own private information in a digitised world of smartphones, social media, internet banking and global transfers.
The new rules include provisions on:
- A right to be forgotten;
- ‘Clear and affirmative consent’ to the processing of private data by the person concerned;
- A right to transfer your data to another service provider;
- The right to know when your data has been hacked;
- Ensuring that privacy policies are explained in clear and understandable language, and
- Stronger enforcement and fines up to 4 percent of an organization’s total worldwide annual turnover, as a deterrent to breaking the rules.
The new General Data Protection Regulation will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years after this date.
Member states will have two years to transpose the provisions of the directive into national law.
Due to UK and Ireland's special status regarding justice and home affairs legislation, the directive's provisions will only apply in these countries to a limited extent.
Denmark will be able to decide within six months after the final adoption of the directive whether it wants to implement it in its national law.
For European-based organizations the new regulations present an important compliance risk. The threats of non-compliance include reputation damage, and high financial costs. It is important that organizations realise that data does not just include digital data, it also includes written records.
Comments
This legislation will make it harder for businesses to keep their heads in the sand – and it will force the issue of cyber security even further up the food chain. It’s time to stop admiring the problem and to start doing something about it. There will be a huge shakedown in the IT security industry over the coming months, and only those who offer true and sustainable value will survive; because businesses will rely on the security industry to actually tackle the disease, not just deal with the symptoms.
Fraser Kyne, regional SE director at Bromium
This is a great step towards the regulation of data loss, creating a penalty for businesses who choose to not invest in proper security. As we have seen through the first half of 2016, significant data breaches have impacted over 100 million people worldwide, including affecting governments. The Netherlands set the standard by enforcing fines to businesses who were victim to data breaches and, with this now being a standard for the entire EU, will make businesses finally consider the real cost and impact of their decision to not put security as their number one consideration around their IT and Data strategy.
Alex Cruz Farmer, VP of cloud at NSFOCUS IB
The EU General Data Protection Regulation (GDPR) is a call to arms for organizations.
One of the EU's most heavily contested legislations, its controversial requirements threaten significant penalties for businesses worldwide that are non-compliant with data protection rules.
However, it also offers hope by introducing a ‘carrot’ and ‘stick’ approach. A ‘carrot’ recommending ‘pseudonymisation’ to ensure personal information is no longer identifiable - reducing certain obligations on those who follow this approach. A ‘stick’ in the form of a threat surrounding the penalties for businesses that are non-compliant.
For many enterprises, this will mean re-architecting operations to accommodate a data-first approach. The first step will be understanding where all the data sits. The second step will require technology that has the ability to scale and protect all data.
For many, this will require an investment in new technologies like data masking, that can pseudonymise data once and ensure all subsequent copies have the same protective policies applied. Only by taking this course of action, can organizations future proof the business from costly data breaches and ensure compliance with all elements of new and impending regulation.
Iain Chidgey, VP and general manager, International at Delphix.
